lzo: Handle integer overflow

get_len can overflow for a specially crafted payload.

Reported-By: Don A. Baley <donb@securitymouse.com>
CC: libav-stable@libav.org
Luca Barbato 2014-06-19 23:26:58 +02:00
parent e121ac634b
commit ccda51b14c


@ -80,6 +80,10 @@ static inline void copy(LZOContext *c, int cnt)
{
register const uint8_t *src = c->in;
register uint8_t *dst = c->out;
if (cnt < 0) {
c->error |= AV_LZO_ERROR;
return;
}
if (cnt > c->in_end - src) {
cnt = FFMAX(c->in_end - src, 0);
c->error |= AV_LZO_INPUT_DEPLETED;
@ -103,7 +107,7 @@ static inline void copy(LZOContext *c, int cnt)
/**
* @brief Copies previously decoded bytes to current position.
* @param back how many bytes back we start
* @param cnt number of bytes to copy, must be >= 0
* @param cnt number of bytes to copy, must be > 0
*
* cnt > back is valid, this will copy the bytes we just copied,
* thus creating a repeating pattern with a period length of back.
@ -111,6 +115,10 @@ static inline void copy(LZOContext *c, int cnt)
static inline void copy_backptr(LZOContext *c, int back, int cnt)
{
register uint8_t *dst = c->out;
if (cnt <= 0) {
c->error |= AV_LZO_ERROR;
return;
}
if (dst - c->out_start < back) {
c->error |= AV_LZO_INVALID_BACKPTR;
return;
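Review bot: The new `cnt < 0` guard in copy() and `cnt <= 0` guard in copy_backptr() only catch an overflowed length after it has already wrapped negative. The accumulation in get_len, which the commit message names but this diff does not touch, would presumably still overflow a signed int; that is undefined behaviour in C, and the value could in principle wrap back to a positive one that passes both guards. Consider also bounding the length where it is built, setting `c->error |= AV_LZO_ERROR;` and stopping once the running count exceeds what the input between `c->in` and `c->in_end` can supply. If cnt does originate from get_len as the message implies, a short comment above each guard such as `/* cnt may have wrapped negative in get_len() on crafted input */` would explain why a byte count is tested for sign. Both function bodies continue outside the hunks shown.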